Thursday, April 30, 2015

Security Compliance Standard



In my future career role of an Information Security Manager, I aspire to work in the field of Information Security Management. My responsibilities will include coordinating and executing security policies and controls, as well as assessing vulnerabilities within the company. I will also be responsible for data and network security, security systems management, and security violation investigation. One of the frameworks that closely relates to these responsibilities is the international standard ISO/IEC 27001.

What is ISO/IEC 27001?
ISO/IEC 27001 is the best-known standard in the ISO/IEC 27000 family and specifies the requirements for an information security management system (ISMS). An ISMS is a systematic approach to managing sensitive company information so that it remains secure. It covers people, processes and IT systems by applying a risk management process. It can help small, medium and large businesses in any sector to keep their information assets secure.

How is it useful?

More and more organizations today are embracing online opportunities to promote their business and establish their position in the marketplace through the use of mobile devices and apps, not to mention social networking sites. In doing so, these companies are also exposed to a growing number of increasingly sophisticated threats targeted at them. Today's companies have no choice but to protect themselves by implementing the ISO/IEC 27001 standard.
ISO/IEC 27001 provides a management framework for assessing and treating risks, whether cyber-oriented or otherwise, that can damage businesses, governments, and even the fabric of a country's national infrastructure.

How will it impact my role?
As an Information Security Manager, my chief responsibility will be establishing, implementing and continually improving the information security management system (ISMS), and acting as an interface between top management and the operational business areas. Knowledge of the key elements of the ISO/IEC 27001 standard will help me to correctly interpret and implement security measures in a practice-oriented manner. Compliance with ISO/IEC 27001 will help me carry out the following tasks:

Technical:
· Approve appropriate methods for the protection of mobile devices, computer networks and other communication channels
· Propose authentication methods, password policy, encryption methods, etc.
· Define required security features of Internet services
· Define principles for secure development of information systems
· Review logs of user activities in order to recognize suspicious behavior

Communication:
· Define which types of communication channels are acceptable and which are not
· Prepare communication equipment to be used in case of an emergency / disaster

Human resources management:
· Perform background verification checks of job candidates
· Prepare the training and awareness plan for information security
· Perform continuous activities related to awareness raising
· Perform induction training on security topics for new employees
· Propose disciplinary actions against employees who caused a security breach

Relationship with top management:
· Communicate the benefits of information security
· Propose information security objectives and security improvements/corrective actions
· Report on the results of security measurements
· Propose the budget and other resources required for protecting information
· Notify top management about the main risks
· Advise top executives on all security matters

Risk management:
· Teach employees how to perform risk assessment
· Propose the selection of safeguards
· Propose the deadlines for safeguard implementation

Asset management:
· Maintain an inventory of all important information assets
· Delete records that are no longer needed
· Dispose of media and equipment no longer in use in a secure way

Incident management:
· Receive information about security incidents
· Coordinate the response to security incidents
· Prepare evidence for legal action following an incident
· Analyze incidents in order to prevent their recurrence

Business continuity:
· Coordinate the business impact analysis process and the creation of response plans
· Coordinate exercises and testing of the plans
· Perform post-incident reviews of the recovery plans

Conclusion
For me to be an effective Information Security Manager, it is imperative that I know what constitutes a security compliance standard and how to implement it in an organization. ISO/IEC 27001 is one such comprehensive security standard that will help both me and my company maintain the confidentiality, integrity and availability of all our information and assets, as well as protect against potential cyber-attacks.

Sources:

http://www.iso.org/iso/home/standards/management-standards/iso27001.htm
http://www.itgovernance.co.uk

Wednesday, April 1, 2015

Moore’s Law and Data Warehouse

Gordon Moore, founder of Intel, made an observation in 1965 which stated that the number of transistors per square inch on integrated circuits had doubled every year since the integrated circuit had been invented. He predicted that this trend would continue for the foreseeable future. After more than 45 years, one can say he predicted correctly, since there has been a two-fold increase in the processing power of computers every year.

It is a common misconception that the economics of data warehousing is possible today because of Moore’s law. It is believed that data warehousing is possible now because everything is less costly as a result of Moore’s law. But experts believe that it is the concepts of data warehousing and analytics, and not the economics, that are feasible today only because of Moore’s law.

Back in the 1990s, when the concept of the data warehouse was emerging and being implemented, the data was just a terabyte in size. With the increase in processing power, more and more data could be processed, and today, with the strong buzz about big data, the size of processed data has grown to petabytes. Data warehouses aren’t just bigger than a generation ago; they’re faster, support new data types, serve a wider range of business-critical functions, and are capable of providing actionable insights to anyone in the enterprise at any time or place. All of which makes the modern data warehouse more important than ever to business agility, innovation, and competitive advantage.

Below are some changes in the world of Data Warehouse, Business Intelligence and Big Data in recent times.

1. Big data analytics in the cloud

Hadoop, a framework and set of tools for processing very large data sets, was originally designed to work on clusters of physical machines. That has changed. Now an increasing number of technologies are available for processing data in the cloud. Examples include Amazon’s Redshift hosted BI data warehouse, Google’s BigQuery data analytics service, IBM’s Bluemix cloud platform and Amazon’s Kinesis data processing service. The future state of big data could be a hybrid of on-premises and cloud.

2. Hadoop: The new enterprise data operating system

Distributed analytic frameworks, such as MapReduce, are evolving into distributed resource managers that are gradually turning Hadoop into a general-purpose data operating system. With these systems, enterprises can perform many different data manipulation and analytics operations by plugging them into Hadoop as the distributed file storage system. As SQL, MapReduce, in-memory, stream processing, graph analytics and other types of workloads become able to run on Hadoop with adequate performance, more businesses will use Hadoop as an enterprise data hub. The ability to run many different kinds of queries and data operations against data in Hadoop will make it a low-cost, general-purpose place to put data that enterprises want to be able to analyze.

3. In-memory analytics

The use of in-memory databases to speed up analytic processing is increasingly popular and highly beneficial in the right setting. Many businesses are already leveraging hybrid transaction/analytical processing (HTAP) — allowing transactions and analytic processing to reside in the same in-memory database. For systems where the user needs to see the same data in the same way many times during the day — and there’s no significant change in the data — in-memory is a waste of money. And while you can perform analytics faster with HTAP, all of the transactions must reside within the same database. The problem is that most analytics efforts today are about putting transactions from many different systems together. Just putting it all on one database goes back to the disproven belief that if you want to use HTAP for all of your analytics, all of your transactions must be in one place. You still have to integrate diverse data. Moreover, bringing in an in-memory database means there’s another product to manage, secure, and figure out how to integrate and scale.

To conclude, data warehouses have had staying power because of the concept of a central data repository fed by dozens or hundreds of databases, applications, and other source systems. This continues to be the best, most efficient way for companies to get an enterprise-wide view of their customers, supply chains, sales and operations. For this reason, businesses that have data warehouses are upgrading and augmenting them with technologies such as Hadoop and in-memory processing, which help them handle 'big data' workloads that are much bigger than before.